From: Ludovic Courtès <ludo@gnu.org>
To: Maxim Cournoyer
Cc: 26948@debbugs.gnu.org
Subject: Re: bug#26948: gnutls errors on multiple guix commands
Date: Wed, 17 May 2017 14:56:15 +0200
Message-ID: <87shk3y74g.fsf@gnu.org>
In-Reply-To: <8737c51e6r.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 15 May 2017 22:19:26 -0700")

Hi Maxim,

Maxim Cournoyer skribis:

> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple of examples of how things break:
>
> * guix lint
>
> guix lint emacs
> emacs@25.2 [cve]...
> Backtrace:
>            9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8&")
> In guix/ui.scm:
>   1257:8  8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
>    640:9  7 (for-each # &)
> In guix/scripts/lint.scm:
>    982:4  6 (run-checkers _ _)
> In srfi/srfi-1.scm:
>    640:9  5 (for-each # &)
> In guix/scripts/lint.scm:
>    805:4  4 (check-vulnerabilities _)
>    800:9  3 (_ _)
> In unknown file:
>            2 (force #)
> In guix/scripts/lint.scm:
>   789:24  1 (_)
> In ice-9/boot-9.scm:
>    837:9  0 (catch srfi-34 # &)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args `(# set-certificate-credentials-x509-trust-file!)'.

So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is
unreadable for some reason. Could you ‘strace’ it to see exactly which
file cannot be opened and why?

However, I cannot reproduce it with current master:

--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs guix lint emacs
gnu/packages/emacs.scm:99:2: emacs@25.2: TLS certificate error: ERROR: X.509 certificate of 'www.gnu.org' could not be verified: signer-not-found invalid
guix lint: warning: TLS certificate error: ERROR: X.509 certificate of 'static.nvd.nist.gov' could not be verified: signer-not-found invalid
guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---

This is the same story for the other ones.

Essentially, this code from (guix build download):

  (define (make-credendials-with-ca-trust-files directory)
    "Return certificate credentials with X.509 authority certificates read from
  DIRECTORY.  Those authority certificates are checked when
  'peer-certificate-status' is later called."
    (let ((cred  (make-certificate-credentials))
          (files (or (scandir directory
                              (lambda (file)
                                (string-suffix? ".pem" file)))
                     '())))
      (for-each (lambda (file)
                  (let ((file (string-append directory "/" file)))
                    ;; Protect against dangling symlinks.
                    (when (file-exists? file)
                      (set-certificate-credentials-x509-trust-file!
                       cred file
                       x509-certificate-format/pem))))
                (or files '()))
      cred))

seems to select a FILE that passes ‘file-exists?’ but that cannot be
read by ‘set-certificate-credentials-x509-trust-file!’. I think that can
happen with unreadable files (EPERM), though I can’t reproduce it.

The ‘strace’ output should help us figure out what’s going on.

Thanks,
Ludo’.
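Added example, not part of this thread and not Guix code: a small Guile script that walks a CA directory the way the loop above does and reports which .pem entries pass ‘file-exists?’ yet cannot actually be opened for reading, i.e. the failure mode suspected in the reply. It needs only plain Guile (no gnutls binding), and the scratch directory, file names and contents it creates under /tmp are constructed for the demonstration.

```scheme
;; Added example (not Guix code): find CA files under a directory that pass
;; 'file-exists?' but cannot actually be opened for reading.  Runs with plain
;; Guile; the gnutls loader is not needed to reproduce the check.
(use-modules (ice-9 ftw)
             (srfi srfi-1))

(define (pem-files directory)
  "Return the absolute names of the .pem files in DIRECTORY, as the Guix
loop does, or the empty list if DIRECTORY cannot be listed."
  (map (lambda (file) (string-append directory "/" file))
       (or (scandir directory
                    (lambda (file) (string-suffix? ".pem" file)))
           '())))

(define (classify-cert-file file)
  "Classify FILE as 'ok, 'dangling (symlink to nothing), 'unreadable
(exists but open(2) fails) or 'missing."
  (cond ((not (file-exists? file))
         ;; 'file-exists?' follows symlinks, so a dangling link lands here;
         ;; 'lstat' still succeeds on the link itself.
         (if (catch 'system-error (lambda () (lstat file) #t) (lambda _ #f))
             'dangling
             'missing))
        ((not (access? file R_OK))
         'unreadable)
        (else
         ;; access(2) can still be wrong (ACLs, mount options), so perform
         ;; the real open(2) the certificate loader would do.
         (catch 'system-error
           (lambda ()
             (close-port (open-input-file file))
             'ok)
           (lambda args
             ;; The same information strace would show: errno of the open.
             (format (current-error-port) "~a: ~a~%"
                     file (strerror (system-error-errno args)))
             'unreadable)))))

(define (report-ca-directory directory)
  "Print one line per .pem file in DIRECTORY with its classification and
return the list of files that are not 'ok."
  (filter-map (lambda (file)
                (let ((status (classify-cert-file file)))
                  (format #t "~a  ~a~%" status file)
                  (and (not (eq? status 'ok)) file)))
              (pem-files directory)))

;; Constructed scenario: a scratch directory holding one readable stand-in
;; certificate, one with mode 0000, and one dangling symlink.
(define (demo)
  (let ((dir (mkdtemp! (string-copy "/tmp/ca-check-XXXXXX"))))
    (call-with-output-file (string-append dir "/good.pem")
      (lambda (port) (display "-----BEGIN CERTIFICATE-----\n" port)))
    (call-with-output-file (string-append dir "/locked.pem")
      (lambda (port) (display "-----BEGIN CERTIFICATE-----\n" port)))
    (chmod (string-append dir "/locked.pem") #o000)
    (symlink "/nonexistent/target.pem" (string-append dir "/dangling.pem"))
    ;; Note: as root, mode 0000 does not block reads, so locked.pem is 'ok.
    (report-ca-directory dir)))

(demo)
```

Run it with `guile ca-check.scm` as the same user that runs ‘guix lint’, pointing ‘report-ca-directory’ at $SSL_CERT_DIR instead of the scratch directory; any file reported as 'unreadable is one the ‘file-exists?’ guard in the Guix loop would let through to the gnutls loader.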